X509证书,DigitalSignature与不可否认(C#)
[英]X509 Certificates, DigitalSignature vs NonRepudiation (C#)
问题描述
We have been handed a set of test sertificates on smart cards for developing a solution that requires XML messages to be signed using PKI. 
我们已经在智能卡上获得了一组测试证书,以开发一种要求使用PKI对XML消息进行签名的解决方案。 Each (physical) smart card seems to have two certificates stored on it. 每个(物理)智能卡似乎都存储有两个证书。 I import them into the Windows certificate store using software supplied by the smart card provider, and then use code resembling the following to iterate over the installed certificates: 我使用智能卡提供程序提供的软件将它们导入Windows证书存储,然后使用类似于以下代码的代码遍历已安装的证书:
foreach (X509Certificate2 x509 in CertStore.Certificates) {
foreach (X509Extension extension in x509.Extensions) {
if (extension.Oid.Value == "one we are interested in") {
X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
if ((ext.KeyUsages & X509KeyUsageFlags.DigitalSignature) != X509KeyUsageFlags.None) {
// process certs here
We have been told to use the certificates that have the NonRepudiation key usage flag set to sign the XMLs. 我们被告知使用设置了不可否认密钥使用标志的证书来对XML进行签名。 However, the certificate that has the NonRepudiation flag has this flag only , and not for instance the DigitalSignature flag which I check for above. 但是,具有NonRepudiation标志的证书仅具有此标志,而不是我上面检查过的DigitalSignature标志。 Does this strike anyone but me as slightly odd? 这会打击我以外的人吗? I am in other words told to sign with a certificate that does not (appear to) have the DigitalSignature usage flag set. 换句话说,我被告知要使用未(似乎)未设置DigitalSignature使用标志的证书进行签名。 Is this normal procedure? 这是正常程序吗? Any comments? 任何意见?
Thanks. 谢谢。
3 个解决方案
解决方案1
1 已采纳 2009-12-21 09:51:41
What key use does it have? 它有什么主要用途? You're right, this is a little odd, however if, for example, the key was used to provide AD logins then it may not have the flags set for DigitalSignature use. 没错,这有点奇怪,但是,例如,如果密钥用于提供AD登录,则可能未设置用于DigitalSignature的标志。 That's not to say you can't use it for that, it just indicates that the certificate issuer provides no guarantee when you go outside the key's indicated usage. 这并不是说您不能为此使用它,仅表示当您超出密钥指示的使用范围时,证书颁发者不提供任何保证。
解决方案2
1 2010-01-10 16:49:02
As I read RFC 5280 (4.2.1.3), nonRepudiation is a superset of digitalSignature. 当我阅读RFC 5280 (4.2.1.3)时,不可否认是digitalSignature的超集。 In other words it grants all the abilities of digitalSignature and then some. 换句话说,它授予了DigitalSignature的所有功能,然后授予了某些功能。 So technically, what they are asking for is valid, though perhaps unusual. 因此,从技术上讲,他们要求的是有效的,尽管可能与众不同。
解决方案3
1 2010-06-10 14:19:25
If you want to provide a non-repudiation service, ie you want signatures have a LEGAL value, then you are supposed to use nonRepudiation only. 如果要提供不可否认性服务,即您希望签名具有LEGAL值,则应该仅使用不可否认性。 Indeed, this is RECOMMENDED by standards (see ETSI TS 102 280) since the usage of other keyUsage bits together with nonRepudation may have security issues. 实际上,这是标准推荐的标准(请参阅ETSI TS 102 280),因为将其他keyUsage位与nonRepudation一起使用可能会带来安全问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.